CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.
Explanation of Vulnerability in Simple Terms
Photo Gallery by 10Web versions up to 1.8.36 lack proper authorization checks, allowing unauthenticated attackers to modify gallery data over the network. The vulnerability requires no user interaction and affects the integrity of stored gallery content. Site administrators should update to a version newer than 1.8.36 to restore proper access controls.
What an attacker can do
Modify gallery content and settings without authentication.
Potential impact on your site
Gallery images, captions, and settings can be altered by anyone without a valid account.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
